Issue: Password sent via email
From a security standpoint, two things are going wrong here:
- Users' passwords are being sent in cleartext via email.
- Which implies that passwords are being stored on the server in cleartext.
In a properly secured web application, neither of these should happen. Of course, the registration and sign-in process should technically occur in an SSL tunnel... that might be a bit excessive for this site.
Basically, a user's password should only ever be sent over the internet once: during registration. After that, only one-way hashes of the password (preferably salted with a nonce) should ever be exchanged between server and client. In addition, the password should be salt-hashed in the server's database.
At the very, very least: right now, please indicate on the registration form that "the password will be emailed to you."
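The salted, one-way storage the post above asks for, as an added example that is not part of the original post or the site's code. The choice of scrypt, its cost parameters, the function names and the in-memory `db` dict are assumptions made for illustration; the post itself only says "salt-hashed".

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune for your hardware.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024

def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation of the stored value."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, maxmem=MAXMEM, dklen=32)

def make_record(password: str) -> dict:
    """Return what the server stores: a per-user random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def register(db: dict, username: str, password: str) -> str:
    """Store the record and return the confirmation e-mail body.

    The body is built without the password. After this call the server
    holds only the salt and hash, so it cannot mail the password later.
    """
    db[username] = make_record(password)
    return f"Welcome, {username}. Your account has been created."

if __name__ == "__main__":
    db = {}  # constructed stand-in for the users table
    body = register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print(body)
    print(db["alice"] != db["bob"])  # same password, different salt and hash
    print(verify("correct horse battery staple", db["alice"]))
    print(verify("guess", db["alice"]))
```

Because each record carries its own random salt, two users with the same password get unrelated stored values, and a leaked table does not reveal which accounts share a password.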


but email...
Nevertheless, email is one of the least-secure electronic communication mechanisms. Passwords should never be sent via email.
What if I was someone who didn't understand security implications and just used one password for everything: OnOrbit, my bank, etc?
Also, I'm not sure if there's anything you can do about it, but my registration email was flagged as spam by Gmail. For the benefit of others, there has to be some way to improve an email's spam rating, but I've got no advice on that.
re: Issue: Password sent via email
SSL was set up for the launch, but there was a bug and we're currently working on it.
Passwords are not stored in clear text.
--
Marc Boucher, Co-Founder and Chief Architect
SpaceRef Interactive Inc.